static OM_uint32
create_constrained_deleg_creds(OM_uint32 *minor_status,
krb5_gss_cred_id_t verifier_cred_handle,
krb5_ticket *ticket,
krb5_gss_cred_id_t *out_cred,
krb5_context context)
{
OM_uint32 major_status;
krb5_creds krb_creds;
krb5_data *data;
krb5_error_code code;
assert(out_cred != NULL);
assert(verifier_cred_handle->usage == GSS_C_BOTH);
memset(&krb_creds, 0, sizeof(krb_creds));
krb_creds.client = ticket->enc_part2->client;
krb_creds.server = ticket->server;
krb_creds.keyblock = *(ticket->enc_part2->session);
krb_creds.ticket_flags = ticket->enc_part2->flags;
krb_creds.times = ticket->enc_part2->times;
krb_creds.magic = KV5M_CREDS;
krb_creds.authdata = NULL;
code = encode_krb5_ticket(ticket, &data);
if (code) {
*minor_status = code;
return GSS_S_FAILURE;
}
krb_creds.ticket = *data;
major_status = kg_compose_deleg_cred(minor_status,
verifier_cred_handle,
&krb_creds,
GSS_C_INDEFINITE,
GSS_C_NO_OID_SET,
out_cred,
NULL,
NULL,
context);
krb5_free_data(context, data);
return major_status;
}
static OM_uint32
kg_impersonate_name(OM_uint32 *minor_status,
const krb5_gss_cred_id_t impersonator_cred,
const krb5_gss_name_t user,
OM_uint32 time_req,
krb5_gss_cred_id_t *output_cred,
OM_uint32 *time_rec,
krb5_context context)
{
OM_uint32 major_status;
krb5_error_code code;
krb5_creds in_creds, *out_creds = NULL;
*output_cred = NULL;
memset(&in_creds, 0, sizeof(in_creds));
in_creds.client = user->princ;
in_creds.server = impersonator_cred->name->princ;
if (impersonator_cred->req_enctypes != NULL)
in_creds.keyblock.enctype = impersonator_cred->req_enctypes[0];
code = k5_mutex_lock(&user->lock);
if (code != 0) {
*minor_status = code;
return GSS_S_FAILURE;
}
if (user->ad_context != NULL) {
code = krb5_authdata_export_authdata(context,
user->ad_context,
AD_USAGE_TGS_REQ,
&in_creds.authdata);
if (code != 0) {
k5_mutex_unlock(&user->lock);
*minor_status = code;
return GSS_S_FAILURE;
}
}
k5_mutex_unlock(&user->lock);
code = krb5_get_credentials_for_user(context,
KRB5_GC_CANONICALIZE | KRB5_GC_NO_STORE,
impersonator_cred->ccache,
&in_creds,
NULL, &out_creds);
if (code != 0) {
krb5_free_authdata(context, in_creds.authdata);
*minor_status = code;
return GSS_S_FAILURE;
}
major_status = kg_compose_deleg_cred(minor_status,
impersonator_cred,
out_creds,
time_req,
output_cred,
time_rec,
context);
krb5_free_authdata(context, in_creds.authdata);
krb5_free_creds(context, out_creds);
return major_status;
}
